This howto describes how to set up LVM and a root filesystem on a LUKS-encrypted (dm-crypt) drive. It is not meant to be a standalone installation guide; rather, it is meant to be read alongside the [[Funtoo Linux Installation]] Guide.

== Prepare the hard drive and partitions ==

This is an example partition scheme; you may want to choose differently. In both layouts <code>/boot</code> stays unencrypted, because the bootloader has to load the kernel and the initramfs before the LUKS container can be opened, so treat <code>/boot</code> as the part of the disk an attacker with physical access can modify. Everything under LVM, including swap, lives inside the encrypted container.

With BIOS and a GPT disk:

* <code>/dev/sda1</code> -- <code>/boot</code> partition.
* <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR, only if you are using GPT). GRUB 2 requires it on a GPT disk. See [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk the installation guide] for more information on GPT and MBR.
* <code>/dev/sda3</code> -- LUKS container holding the LVM volumes (<code>/</code>, swap, <code>/usr/portage</code> and <code>/home</code>).

With UEFI:

* <code>/dev/sda1</code> -- <code>/boot</code>
* <code>/dev/sda2</code> -- LUKS container holding the LVM volumes.

The commands below use the BIOS/GPT layout, so the partition that gets encrypted is <code>/dev/sda3</code>; with the UEFI layout substitute <code>/dev/sda2</code>.

=== Wipe the hard drive ===

{{Fancywarning|This action will destroy all data on the disk.}}

<console>
# ##i##gdisk /dev/sda

Command: ##i##x ↵
Expert command: ##i##z ↵
About to wipe out GPT on /dev/sda. Proceed?: ##i##y ↵
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR?: ##i##y ↵
</console>

This only destroys the GPT and MBR partition tables; the old contents of the disk stay readable until they are overwritten. Then create the partitions from the scheme above as described in the installation guide.


== Encrypting the drive ==

Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]

Encrypt the partition set aside above (<code>/dev/sda3</code> in the BIOS/GPT layout) with <code>cryptsetup luksFormat</code> and open it as <code>dmcrypt_root</code>: the LVM commands below and the initramfs both expect the container at <code>/dev/mapper/dmcrypt_root</code>. Whatever cipher you choose must be built into the kernel (see the kernel options below); the example there enables AES in XTS mode.

{{Fancywarning|The default keymap at boot time is '''us'''. If you enter your passphrase using a different keymap, you won't be able to unlock your crypt volume if the passphrase contains any characters that are located elsewhere on your keyboard layout than on the us layout. Either use only characters that sit in the same place on both layouts, or load the us keymap (<code>loadkeys us</code>) before running <code>cryptsetup luksFormat</code>.}}


== Create logical volumes ==

<console>
# ##i##pvcreate /dev/mapper/dmcrypt_root
# ##i##vgcreate vg /dev/mapper/dmcrypt_root
# ##i##lvcreate -L10G --name root vg
# ##i##lvcreate -L2G --name swap vg
# ##i##lvcreate -L5G --name portage vg
# ##i##lvcreate -l 100%FREE --name home vg
</console>

Feel free to specify your desired size by altering the number after the <code>-L</code> flag. For example, to make your portage volume 20GB, use <code>-L20G</code> instead of <code>-L5G</code>.

{{fancynote| Please notice that the above partitioning scheme is an example and not a default recommendation; change it according to your desired scheme.}}


== Create a filesystem on volumes ==

<console>
# ##i##mkfs.ext2 /dev/sda1
# ##i##mkswap /dev/mapper/vg-swap
# ##i##mkfs.ext4 /dev/mapper/vg-root
# ##i##mkfs.ext4 /dev/mapper/vg-portage
# ##i##mkfs.ext4 /dev/mapper/vg-home
</console>


== Basic system setup ==

<console>
# ##i##swapon /dev/mapper/vg-swap
# ##i##mkdir /mnt/funtoo
# ##i##mount /dev/mapper/vg-root /mnt/funtoo
# ##i##mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# ##i##mount /dev/sda1 /mnt/funtoo/boot
# ##i##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>
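
The sections from "Encrypting the drive" down to here are one procedure, and the page leaves the <code>cryptsetup</code> step itself implicit. The script below is an added example (it is not code from this page or from the Funtoo project) that runs that procedure end to end: it declares the device names and the <code>dmcrypt_root</code> mapping once, refuses to format a device that is currently mounted, formats the LUKS container, then creates the LVM volumes, filesystems and mounts exactly as in the console blocks above. The defaults (<code>/boot</code> on <code>/dev/sda1</code>, the container on <code>/dev/sda3</code>, volume group <code>vg</code>) are assumptions taken from the BIOS/GPT layout on this page; <code>DRY_RUN=1</code>, the default, prints every command instead of running it so you can review the whole sequence before executing it as root.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: the encrypt -> LVM -> mkfs -> mount
# procedure from the sections above as one reviewable script.
# Assumed defaults (match the BIOS/GPT layout on the page): /boot on /dev/sda1,
# LUKS container on /dev/sda3, mapping "dmcrypt_root", volume group "vg".
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them (run as root).

BOOT_DEV="${BOOT_DEV:-/dev/sda1}"
LUKS_DEV="${LUKS_DEV:-/dev/sda3}"
MAPPER="${MAPPER:-dmcrypt_root}"
VG="${VG:-vg}"
MNT="${MNT:-/mnt/funtoo}"
DRY_RUN="${DRY_RUN:-1}"
MOUNTS_TABLE="${MOUNTS_TABLE:-/proc/mounts}"   # overridable so it can be tested offline

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to format a device that appears as a mounted source in the mounts table.
# $2 optionally names the table to consult (defaults to $MOUNTS_TABLE).
refuse_if_mounted() {
    dev="$1"
    mounts="${2:-$MOUNTS_TABLE}"
    if grep -qs "^$dev " "$mounts"; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    return 0
}

# Step 1: the LUKS container. aes-xts-plain64 with a 512-bit key (AES-256 in
# XTS mode) matches the kernel options enabled later on this page;
# --verify-passphrase asks twice, which also catches a keymap mismatch early.
# luksDump afterwards shows the header that was actually written.
luks_format() {
    refuse_if_mounted "$LUKS_DEV" || return 1
    run cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha256 \
        --verify-passphrase luksFormat "$LUKS_DEV"
    run cryptsetup luksOpen "$LUKS_DEV" "$MAPPER"
    run cryptsetup luksDump "$LUKS_DEV"
}

# Step 2: LVM inside the opened container (same sizes as on the page).
lvm_create() {
    run pvcreate "/dev/mapper/$MAPPER"
    run vgcreate "$VG" "/dev/mapper/$MAPPER"
    run lvcreate -L10G --name root "$VG"
    run lvcreate -L2G --name swap "$VG"
    run lvcreate -L5G --name portage "$VG"
    run lvcreate -l 100%FREE --name home "$VG"
}

# Step 3: filesystems. Only /boot lives outside the container.
make_filesystems() {
    run mkfs.ext2 "$BOOT_DEV"
    run mkswap "/dev/mapper/${VG}-swap"
    for lv in root portage home; do
        run mkfs.ext4 "/dev/mapper/${VG}-$lv"
    done
}

# Step 4: mount everything under $MNT for the chroot install.
mount_all() {
    run swapon "/dev/mapper/${VG}-swap"
    run mkdir -p "$MNT"
    run mount "/dev/mapper/${VG}-root" "$MNT"
    run mkdir -p "$MNT/boot" "$MNT/usr/portage" "$MNT/home"
    run mount "$BOOT_DEV" "$MNT/boot"
    run mount "/dev/mapper/${VG}-portage" "$MNT/usr/portage"
    run mount "/dev/mapper/${VG}-home" "$MNT/home"
}

all_steps() {
    luks_format && lvm_create && make_filesystems && mount_all
}

# Usage:  sh luks-lvm.sh go              (DRY_RUN=1: print the plan)
#         DRY_RUN=0 sh luks-lvm.sh go    (execute, as root, on the live CD)
if [ "${1:-}" = "go" ]; then
    all_steps
fi
```

Review the dry-run output first: every device name in it is about to be overwritten, and the mount check only protects against the most common mistake (formatting the disk you booted from), not against typing the wrong disk.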

Now perform all the steps required for a basic system install; please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation the Funtoo Linux Installation guide]. Don't forget to emerge the following before your install is finished:

* '''cryptsetup'''
* '''lvm2'''
* '''a bootloader (grub recommended)'''
* '''kernel sources'''


== Editing the fstab ==

Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file. The volumes are referenced by their <code>/dev/mapper</code> names, which only exist once the initramfs has opened the LUKS container and activated the volume group; the container itself does not appear in <code>/etc/fstab</code>.

{{file|name=/etc/fstab|desc= |body=
# <fs>                  <mountpoint>   <type>   <opts>                        <dump/pass>
/dev/sda1               /boot          ext2     noauto,noatime                1 2
/dev/mapper/vg-swap     none           swap     sw                            0 0
/dev/mapper/vg-root     /              ext4     noatime,nodiratime,defaults   0 1
/dev/sr0                /mnt/cdrom     auto     noauto,ro                     0 0
/dev/mapper/vg-portage  /usr/portage   ext4     noatime,nodiratime            0 0
/dev/mapper/vg-home     /home          ext4     noatime,nodiratime            0 0
}}


== Kernel options ==

{{fancynote| This part is particularly important: pay close attention. }}

The kernel needs initramfs support, devtmpfs, the device mapper with its crypt target (dm-crypt), and the cipher and mode you chose for LUKS (AES and XTS in this example; if you chose a different cipher, enable that one under Cryptographic API instead). The initramfs has to use all of these before the root filesystem is available, so build them in (<code>*</code>) rather than as modules.

{{kernelop
|title=General setup
|desc=
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
}}

{{kernelop
|title=Device Drivers
|desc=
Generic Driver Options --->
    [*] Maintain a devtmpfs filesystem to mount at /dev
}}

{{kernelop
|title=Device Drivers
|desc=
[*] Multiple devices driver support --->
    <*> Device mapper support
    <*> Crypt target support
}}

{{kernelop
|title=Cryptographic API
|desc=
<*> XTS support
-*- AES cipher algorithms
}}


== Initramfs setup and configuration ==

Revision as of 12:16, September 13, 2014

Example boot output from better-initramfs when it opens the container. Note that the first LVM scan runs before the container is open, so "No volume group found" at that point is expected; the volume group only becomes visible after the passphrase has been accepted and <code>/dev/mapper/dmcrypt_root</code> exists.

<console>
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reading all physical volumes. This may take a while...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:
</console>
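
An added example, not from this page or from the better-initramfs project, of the bootloader side: a <code>/etc/boot.conf</code> entry for Funtoo's boot-update (which generates the GRUB configuration) that passes better-initramfs what it needs to open the container and activate LVM. The parameter names <code>enc_root</code>, <code>luks</code>, <code>lvm</code>, <code>root</code> and <code>rootfstype</code> are taken from better-initramfs's own documentation; check them against the README of the version you install. The encrypted device (<code>/dev/sda3</code>, the BIOS/GPT layout above), the kernel file name and the initramfs file name are assumptions to adjust to your install.

```text
boot {
	generate grub
	default "Funtoo Linux"
	timeout 3
}

"Funtoo Linux" {
	kernel vmlinuz[-v]
	initrd initramfs.cpio.gz
	params += root=/dev/mapper/vg-root rootfstype=ext4 enc_root=/dev/sda3 luks lvm
}
```

<code>enc_root</code> names the LUKS partition, not a logical volume; <code>root</code> names the logical volume inside it, which only exists after the <code>luks</code> and <code>lvm</code> steps have run, which is exactly the order the boot output above shows. Since <code>/boot</code> holds this configuration, the kernel and the initramfs unencrypted, none of it is protected by LUKS; anyone who can write to it can replace the initramfs that prompts for your passphrase.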